ZZ9's questions

We are in the process of setting up sssd to be used with active directory using the config below.

We do not use attribute mapping as we want to use attributes defined in the AD ldap objects such as custom uid, unixHomeDirectory and public keys etc..

sssd.conf:

[sssd]
domains = company.domain
config_file_version = 2
services = nss, pam, sudo, ssh
debug_level = 6

[domain/sew.online]
ad_hostname = EXAMPLESERVER01 #This is templated using ansible
ad_domain = company.domain
krb5_realm = COMPANY.DOMAIN
krb5_store_password_if_offline = true
use_fully_qualified_names = false
id_provider = ad
auth_provider = ad
access_provider = ad
chpass_provider = ad
lookup_family_order = ipv4_only
cache_credentials = true
dns_discovery_domain = {{ prod_domain_name }}
create_homedir = true
auto_private_groups = true
ad_gpo_access_control = permissive
ad_gpo_cache_timeout = 30
ad_site = SITENAME
case_sensitive = false
enumerate = false
default_shell = /bin/bash
ldap_schema = ad
ldap_id_mapping = False
ldap_user_shell = loginShell
ldap_user_principal = samAccountName
ldap_user_ssh_public_key = altSecurityIdentities
ldap_user_home_directory = unixHomeDirectory
fallback_homedir = /home/%u

ldap_force_upper_case_realm = true
ldap_purge_cache_timeout = 0
ldap_account_expire_policy = ad
ldap_group_search_base = DN=etc...
ldap_user_search_base = DN=etc...
debug_level = 6

[nss]
fallback_homedir = /home/%u
reconnection_retries = 3
debug_level = 6

[pam]
offline_credentials_expiration = 3
offline_failed_login_attempts = 10
offline_failed_login_delay = 30
pam_verbosity = 3
pam_id_timeout = 10
pam_pwd_expiration_warning = 30
reconnection_retries = 3
debug_level = 6

krb5.conf

[logging]
default = FILE:/var/log/krb5libs.log

[libdefaults]
default_realm = COMPANY.DOMAIN
ticket_lifetime = 1d
renew_lifetime = 7d
dns_lookup_realm = true
dns_lookup_kdc = true
rdns = false
allow_weak_crypto = false
permitted_enctypes = aes256-cts-hmac-sha1-96
default_tkt_enctypes = aes256-cts
default_tgs_enctypes = aes256-cts
kdc_timesync = 1
kdc_timeout = 3000
forwardable = true
renewable = true
proxiable = true
udp_preference_limit = 1
rnds = false

Here is a pastebin of the various sssd log files: https://pastebin.com/2P58uybg

The logs show a domain user who has already successfully logged in (via sshd and public key auth) try to run sudo bash

Other than passwords the ad integration works as desired:

• users can log in using their sAMAccountName
• if I run id username you can see usernames's groups with their gid's from active directory
• the computer object (added using adcli) shows in active directory
• there appears to be a valid kerberos ticket witht the computers SPN

As a troubleshooting step i configured LDAPS on the domain controllers with an internally trusted certificate added to ubuntu's ca store.

I have gone through the sudo logs (very verbose) and it shows the group successfully being matched and allowing the user sudo.

Any help appreciated.

Edit:

Host OS: Ubuntu 18.04

nsswitch.conf

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat systemd sss
group:          compat systemd sss
shadow:         compat sss
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files sss
ethers:         db files
rpc:            db files

netgroup:       nis sss
sudoers:        files sss

Packages installed for the ansible role:

• adcli
• krb5-user
• sssd
• sssd-tools
• sssd-ad
• sssd-krb5
• python3-sss
• libpam-sss
• libnss-sss
• libsss-sudo

If I do:

ssh -J jumphost.example.com target.example.com

I end up immediately logged on to 'target'.

If I use this ssh config file, using the newer ssh-7.3 jump config:

Host jump 10.1.*, targets*, *.example.com
  HostName jumphost.example.com
  IdentitiesOnly yes
  AddKeysToAgent yes
  UseKeychain yes
  IdentityFile ~/.ssh/id_rsa

Host *
  AddKeysToAgent yes
  UseKeychain yes
  IdentityFile ~/.ssh/id_rsa

I end up logged into 'jumphost' not 'target'

They keychain stuff is for mac, I have tested without it and it makes no difference but thought I'd leave it in just in case.

We have two datacentres either side of the Atlantic with a 10Gb VPLS connection between sites with 80ms latency and better than 0.0000001% packet loss.

When moving VMs between datastores on either end of the link we are seeing exremely slow speeds, EG: 15MB/s.

We have confirmed the underlying performance of the storage arrays and have confirmed all the networks involved are running at 10Gb with throughput and packet loss tests. Local data transfers within the same vCenter are very quick. We have run iperf between VMs on each DC as well.

I assume this is due to a TCP windowing issue or something similar to how SMB/CIFS struggles with high letency links.

Is there any configuration within ESXi or vCenter to optimise this such as specifying larger buffers or larger window sizes?

We are running 6.5 Ent Plus with vCenters in enhanced link mode. These are sperate clusters and do have a stretched VLAN.

I have a template from CentOS 7 (1602) that I have deployed roughly 200 VMs using it until I noticed the issue, so it would be ideal to fix these VM's rather than start from scratch.

The VM's 'randomly' fail, usually between 7PM and 11PM, sometimes two nights in a row, sometimes not for a week or two. When one VM fails, most of them also fail. They seem to loose disk access. Rebooting the VM immediately solves the issue and it does not reoocur for at least 24 hours. Even when we don't reboot them till the next day they still reboot during this time period.

Some of the VM's have nothing installed on them and still have this issue. Root partition and boot partition are hardly used. Logs show no issues.

No other VMs are affected except this particular centos template. We are using VMWare 4 (I know, I know) but we have never had any issues other than this and new images have no issue. I see no spikes in CPU or disk use in VMWare around the failure.

Here is a screenshot as it fails:

Here is a screenshot when trying to access the VM after a number of minutes has elapsed:

Example bootstrap script used on these servers: http://pastebin.com/gs3AzV5m

I am in companyA. We have a bunch of Exchange 2010 servers.

We have accepted domains in our exchanged for: CompanyA CompanyB CompanyC Etc...

A lot of users have mailboxes that are outside an email address policy and have addresses for all of the above companies.

CompanyB decided they want to walk their on path and migrate to O365. We gave them the PSTs for their mailboxes, they restored them and we pointed the MX at 365 as well as removing the accepted domain.

Everything seemed fine until we realised a week later that even though we removed the accepted domain, mailboxes with [email protected] as an address were still getting mail sent to their internal mailbox. I also discovered that the mailboxes had not been disabled. I promptly removed the mailboxes for companyB in a effort to remove their email addresses from being visible to exchange in hope that it would only go external for that domain.

I did a Clean-MailboxDatabase and all of the above are now showing in disconnected mailboxes.

I removed the NK2 popup from outlook but am still getting errors because Exchange is acting as is the domain is an accepted authoritative domain. How do I force exchange to send all mail for this domain to the correct MX (external) and not look at the IMCEAEX?

#550 5.1.1 RESOLVER.ADR.ExRecipNotFound; not found ##

I am creating a install script for Sensu on Windows and am getting this error upon starting the service:

{
  "timestamp": "2016-04-14T23:05:45.043371+0100",
  "level": "warn",
  "message": "config file must be valid json",
  "file": "C:/opt/sensu/conf.d/client.json",
  "error": "unexpected character at line 1, column 1 [parse.c:652]"
}

This error is given on all JSON config files.

Here is my install script which successfully installs the msi and writes the files how I want them: http://pastebin.com/GgQsNcAX

Here is an example of a config file it output:

{
    "client": {
        "name": "Server1",
        "address": "1.1.1.1",
        "subscriptions": [ "none" ]
    }
}

Symbols:

Looks fine to me !?

Is it possible to nest basic auth? So that the parent folder and all subfolders can be accessed using one basic auth directive but subfolders have seperate auth

VHost config:

<VirtualHost *:80>
        ServerName subdomain.domain.com
        #
        #       Comment
        #
        ErrorLog "/var/log/httpd/analytics_prox_error_log"
        CustomLog "/var/log/httpd/analytics_prox_access_log" common
        SSLProxyEngine on
        SSLProxyVerify none
        ProxyRequests Off

        <Location />
                AuthType Basic
                AuthName "ProxyMain"
                AuthUserFile /var/www/analytics-auth/.htpasswd
                Require user datateam
                Satisfy any
                Deny from all
                Allow from 192.168.0.0/16 10.0.0.0/8
        </Location>

        <Location /folder1/>
                AuthType Basic
                AuthName "Proxy"
                AuthUserFile /var/www/analytics-auth/.htpasswd
                Require user mainuser folder1user
                Satisfy any
                Deny from all
                Allow from 192.168.0.0/16 10.0.0.0/8
        </Location>

        <Location /anotherfolder/>
                AuthType Basic
                AuthName "Proxy"
                AuthUserFile /var/www/analytics-auth/.htpasswd
                Require user mainuser anotherfolderuser
                Satisfy any
                Deny from all
                Allow from 192.168.0.0/16 10.0.0.0/8
        </Location>

        ProxyPass / https://1.1.1.1/
        ProxyPassReverse / https://1.1.1.1/
</VirtualHost>

The basic auth that is prompted for / is the same for all the sub folders and works correctly. (AuthMain) However if I browse to a specified folder such as folder1 i get the root basic auth and not the basic auth specific to that location

I have been setting up sensu on CentOS7.2 for the first time following the official docs over and over however I have not been able to get it to work:

I cannot seem to connect to the API. Uchiwa gives the error:

ALERT
Datacenter site1 returned:
Connection error. Is the Sensu API running?`

I have tried: curl -I http://localhost:4567/clients ...I do not get a response.

Here is /var/log/sensu/sensu-api.log http://pastebin.com/wHEHE0bH

I have been creating a script to make the setup repeatable. Please see my script below which shows my config: http://pastebin.com/QEt5Msku If you run the script on CentOS7 it should repeat this issue.

Fix:

Issue in answer below. After following a non official guide that successfully installed sensu on a fresh VM, I compared the two setup steps and after a couple of builds on fresh VMs swapping out the steps bit by bit I figured out replacing the repo with one from a non official guide that pointed to a slightly different URL fixed my problem (repo for CentOS6 but it works on 7, it just installs a non current verson 0.20.3).

echo '[sensu]
name=sensu-main
baseurl=http://repos.sensuapp.org/yum/el/6/x86_64/
gpgcheck=0
enabled=1' > /etc/yum.repos.d/sensu.repo

On a client machine such as OSX or Windows:

Do web browsers check the hosts file before refering to their DNS cache?

I am trying to figure out the full DNS 'route' in my mind.

• Hosts File
• Browser DNS Cache
• Local DNS Cache
• DNS Server
• Root Hints or Forwarding

Does it differ between browsers and OSs?

Just starting out with Ansible, I have set up an Asible user on the client machine and created a set of keys from OpenSSL. I am running Ansible under my own account. I have specified the user and private key file in the Ansible configuration. I want the remote commands to run as this user and this user to sudo to do commands requiring elevation.

/etc/ansible/ansible.cfg

private_key_file = /etc/ansible/pka/confman.crt
remote_user = confman

Commands such as this do not ask for passphrases after initial entry of passphrase:

ansible all -m ping

The following prompt for a passphrase every time I run them:

ansible all -m ping -b
Enter passphrase for key '/etc/ansible/private_keys/confman.crt':
(success)

ansible all -m ping --sudo
Enter passphrase for key '/etc/ansible/private_keys/confman.crt':
(success)

ansible all -a "cat /etc/redhat-release"
Enter passphrase for key '/etc/ansible/private_keys/confman.crt':
(success)

Why?

Is there any way to set the passphrase? Is there a more secure way? I plan to run ansible remotely and via cron and via other automation tools where entering a passphrase is not an option.

As context, I have never needed to SSH between Linux servers, always from a Windows machine using tools such as putty, RoyalTS and mRemoteNG so my ssh knowledge is... sparse. I assume I am missing something obvious.

Why does bind allow TTL to be set record by records if different TTLs are not allowed within the same record set?

If i set the zone ttl using:

$TTL 39600

And then set a record TTL using:

@        300     IN      A       1.1.1.1

I get the warning in my logs:

TTL set to prior TTL (300)

This is because I have "Different TTLs for records within the same record set, this is not allowed"

If this is not allowed, whats the point of being able to set TTL record by record?

Thanks

Apache currently interogates the user for their basic auth credentials, once the correct details are entered it passes basic auth credentials to the tomcat server it's proxying. This confuses the app which tried to use the basic auth creds as a login.

I would like to stop apache passing this information on.

I have configured apache using the following configuration:

<VirtualHost *:443>
    ServerName  app.company.co.uk
    SSLProxyEngine On
    ProxyRequests Off
    <Proxy *>
    Order deny,allow
    Deny from all
    Allow from all
    </Proxy>
    <Location />
            AuthType Basic
            AuthName "Basic Auth"
            AuthUserFile /var/path/.htpasswd
            Require user user
            Satisfy any
            Deny from all
            Allow from 172.16.0.0/21
    </Location>
    ProxyPreserveHost On
    ProxyPass / http://app.company.co.uk:7190/
    ProxyPassReverse / http://app.company.co.uk:7190/
</VirtualHost>

The goal is that external users can connect via HTTPS, go through basic auth on Apache and then view a proxies tomcat site.

I have set up a reverse proxy to a tomcat server running on the same machine on a different port with basic auth: (/etc/httpd/conf.d/vhost.conf)

NameVirtualHost *:80
<VirtualHost *:80>
    ServerName  sub.domainx.co.uk
    ErrorLog "/var/log/proxy/domainx_prox_error_log"
    CustomLog "/var/log/proxy/domainx_prox_access_log" common
    ProxyRequests Off
    <Proxy *>
        Order deny,allow
        Deny from all
        Allow from all
    </Proxy>
    <Location />
        AuthType Basic
        AuthName "Proxy Auth"
        AuthUserFile /var/www/syzygy-auth/CONFLUENCE/.htpasswd
        Require user ukuser
        Satisfy any
        Deny from all
        Allow from 192.168.0.0/21
   </Location>
   ProxyPass / http://sub.domainx.co.uk:8090/
   ProxyPassReverse / http://sub.domainx.co.uk:8090/
</VirtualHost>

The above works fine.

I then went about setting up mod_ssl on apache.

yum -y install mod_ssl

I then uploaded my wildcard ssl and made the dollowing changes to /etc/httpd/conf.d/ssl.conf

uncommented: 
DocumentRoot "/var/www/html"
uncommented/updated:
ServerName www.server.world:443
SSLCertificateFile /etc/pki/tls/certs/server.crt
SSLCertificateKeyFile /etc/pki/tls/certs/server.key

These changes appear to have had the desired effect.

I can not view index.html via HTTPS and HTTP proxies the tomcat server.

When I add an identical vhost but with the port changed to 443 no changes take affect.

When I added SSLProxyEngine On apache would not start.

I got the following in the proxy error logs:

Fatal error initialising mod_ssl, exiting. See /var/log/proxy/domainx_prox_error_log for more information

Server should be SSL-aware but has no certificate configured

I am aware that usermod -g is not best practice from many posts like this however they normally explain the usermod should not be used as it changes the primary group of a user. These posts don't seem to take into account the -aG switch which just appends the group.

Is this still poor practice or no different than using gpasswd -a?

I would like to test the value of LimitRequestFieldSize in Apache 2.4.

I have tried setting it and was wondering if there was a straightforward way of calling its value from apache or testing it via a browser.

I have searched quite a lot for a solution and most answers pertain to either proxypass (reverse proxy) or are not relevant.

End users' web browsers are configured to use the Apache proxy server.

I want to redirect all users to an individual web page (on the same server if possible).

Mod_rewrite does not work as it is only triggered when a user tried to visit the proxy server. I want to redirect users trying to access external sites.

The current configuration is simple:

/var/httpd/conf.d/proxy.conf:

<VirtualHost *:*>
    ProxyRequests On
    ProxyVia On

    <Proxy *>
        Order deny,allow
        Deny from all
        Allow from 172.0.0.0/21
    </Proxy>
</VirtualHost>

I was thinking of blocking all requests and then setting a custom error page but cannot find any examples of this working.

Is it possible to replace content on every page passed through a proxy similar to how mod_rewrite is used for URLs? The documentation on substitute is not clear.

I have some pages I am reverse proxying that have absolute paths. This breaks the site. They need replacing and tools like mod_rewrite are not picking them up as they are not URL requests.

<VirtualHost *:80>
    ServerName  servername1
    ServerAlias servername2

    ErrorLog "/var/log/proxy/jpuat_prox_error_log"
    CustomLog "/var/log/proxy/jpuat_prox_access_log" common

    RewriteEngine on
    LogLevel alert rewrite:trace2
    RewriteCond %{HTTP_HOST} /uat.site.co.jp$ [NC]
    RewriteRule ^(.*)$ http://jp.uat.site2uk.co.uk/$1 [P]

    AddOutputFilterByType SUBSTITUTE text/html
    Substitute "s|uat.site.co.jp|jp.uat.site2uk.co.uk|i"


    ProxyRequests Off

    <Proxy *>
            Order deny,allow
            Allow from all
    </Proxy>

    ProxyPass / http://uat.site.co.jp/
    ProxyPassReverse / http://uat.site.co.jp/
</VirtualHost>

Neither of the above works at replacing the HTML string

<link href="//uat.site.co.jp/css/css.css

with

<link href="//uat.site2uk.co.uk/css/css.css

Conf after changes:

<VirtualHost *:80>
    ServerName  jp.uat.site2uk.co.uk
    ServerAlias uat.site.co.jp
    ErrorLog "/var/log/proxy/jpuat_prox_error_log"
    CustomLog "/var/log/proxy/jpuat_prox_access_log" common
    ProxyRequests Off
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
    ProxyPass / http://uat.site.co.jp/
    ProxyPassReverse / http://uat.site.co.jp/
    AddOutputFilterByType SUBSTITUTE text/html
    Substitute "s|uat.site.co.jp|jp.uat.site2uk.co.uk|ni"
</VirtualHost>

I am running a vmware environment (Version 4 unfortunately) which requires me to use a bios rom file in order to run server 2012. I upload it to the root folder of the VM after creation, before boot and change some config lines.

bios440.filename = bios.440.rom
mce.enable = TRUE
cpuid.hypervisor.v0 = FALSE
vmGenCounter.enable = FALSE 

Configuration Parameters and ROM from here

That works perfectly until I clone the VM or try and deploy a template. The file is not copied.

Is there any way to tell vmware that the file needs to be copied with the VM when cloning or deploying from template?

bios440.filename =[ESX-ISO (SAN1)] ROMs/bios.440.rom

Where the name of the datastore is ESX-ISO (SAN1)

I am migrating a file server form 2003 to 2012 R2.

There are about 50TB of files with thousands of individual permissions.

I have successfully migrated the files to the new server, including their permissions which remain intact.

I am having problems with permissions.

Lets take the Accounts folder for example: On the old file server, it is shared with the permission: Everyone Read The NTFS security is set to: Accounts Full Control Finance Read & Write

This results in users being able to see the shared folder Accounts but not accesss it or view it's contents unless they are in the accounts or finance groups.

On the new 2012 server, i got to advanced sharing, add the permission for everyone to read, and create the share. I then check the NTFS permissions for the folder, they are still intact, Accounts, Finance, thats it.

The problem is, everyone can read every file in that folder. It appears the share permissions are taking precedence over the NTFS permissions.

The same thing happens on the 100+ shares on the new server, it is not feasible for me to manually re-do all the permissions.

So, file server migration.

I've robocopied everything over and kept folder permissions intact, I have recreated the shared.

My question is I need a transparent way of switching all the users from the old server (GB-LON-FS1.domain) to the new server(s) GB-LON-FS4.domain.

people have to be able to access the files via \GB-LON-FS1...

My initial plan was to change the dns record for GB-LON-FS1 to FS4's IP address however I realise some users will have the old server's IP cached.

My other thought was to change FS4's IP to that of FS1 and leave the DNS alone.

Would there be issues with UNC paths if the server's hostname does not match the dans entry? I don't assume so.

Can you think of a more transparent way of doing this? All old UNC paths must remain the same. I would prefer to leave AD as is but let me know if hostnames have to change.

I also have FS3 which is DFS replicated from FS4, would it be worth adding two DNS records for FS1 and round robbining it or would there be issues.